The Duke community should be wary of email links from unfamiliar addresses—even if they seem to be from Duke-affiliated groups.
A phishing attack last week marked the latest of four major cases since December that have sought to garner Duke NetIDs and passwords to send spam messages from the compromised email accounts, said Cara Bonnett, Office of Information Technology managing editor. Phishing is a form of online fraud designed to convince recipients to divulge personal data such as Social Security numbers and bank account information. Between 10 and 50 accounts of Duke staff, faculty, students and alumni were compromised in each of the four attacks.
“If you provide your account information to a nefarious website that is linked in a phishing message, your Duke account could be compromised—including your email,” Bonnett said. “The attacker could use these credentials to attempt to log into other services like Facebook or Gmail.”
People who followed the links from the messages and entered their Duke account information granted phishers access to their accounts, Bonnett noted. Phishers used the accounts to send thousands of spam emails to their contacts. At one point, 300,000 such spam messages were in the mail system.
The attack last week took form in two phony emails, according to a release from the Information Technology Security Office. One was sent from an account claiming to be the OIT help desk and attempted to trick Duke community members into submitting their NetID and password in order to validate their identity. The other phishing message was sent from a non-existent social media organization called Duke Collaborative Networks, which advertised a new form of social networking that would allow patrons to share professional resources.
Bonnett added that some phishing messages can install malware—malicious software that can steal financial information and gain access to bank accounts.
Freshman Dan Sykora, whose email account was compromised in the most recent phishing attack, said that all of his most recently messaged contacts—including his academic adviser, friends and people outside of the Duke community—received spam messages from his account.
“There were two emails sent out from my account when it was hijacked—one to the people I most recently emailed and one to those who most recently emailed me,” he said. “The second email sent out contained a link to a sex dating website, and one of the recipients was a Pratt [School of Engineering] dean, so that was very embarrassing.”
Sykora said he cleared out his entire inbox and outbox and changed his password in order to protect against any other unwanted tampering of his account, adding that he issued an apology email to the affected contacts.
OIT is actively implementing cutting-edge measures to combat phishing attacks in the Duke community, Bonnett said. But phishers change their tactics and messages often, which could result in some emails getting through the University’s security measures.
“For the most part, the mail system blocks or eliminates a significant amount of such messages,” she noted.
Bonnett added that if a Duke faculty, staff or student account is compromised, Duke locks the account until the affected person can be contacted and assisted in resetting his or her account password. To avoid the issue of phishing in the first place, people should be very careful when dealing with emails from unknown senders.
“Remember that Duke—and all valid companies or organizations—will never ask for your password or account information in an email,” she said.
As OIT is addressing phishing, they are also working on improving Duke’s Wi-Fi network, she added. Last Wednesday, major renovations were done to the network to improve its performance.
“OIT was responding to network alarms... that suggested issues with the Wi-Fi network,” she noted. “We took corrective measures to both block potentially harmful traffic and add resources.”
Get The Chronicle straight to your inbox
Signup for our weekly newsletter. Cancel at any time.